Hello I'm trying to capture the ip address from the PXE log example shown. I want to also trim any preceding 0 so I can use the ip as an index. I feel I'm pretty close on this one. Log sample: Operation: BootRequest (1) Addr type: 1 Addr Len: 6 Hop Count: 0 ID: 0001E240 Sec Since Boot: 65535 Client IP: 018.087.789.006 Your IP: 000.000.000.000 Server IP: 178.187.178.874 Relay Agent IP: 000.000.000.000 Addr: 87:f3:78:a5:78:b2: Magic Cookie: 63878263 Splunk Search: index="*********" source="D:\\SMS_DP$\\sms\\logs\\SMSPXE.log" | rex field=_raw "Addr: (?<Time>\d.{16})" | rex field=_raw "Addr: (?<PXE_MAC>\d.{16})" | rex field=_raw "Type=97 UUID: (?<PXE_UUID>\d.{33})" | rex field=_raw "Client IP: (?<PXE_IP>\d.{14})" | rex field=PXE_IP "^(?<PXE_IP_MOD>\b0+(\d+))" | rex field=_raw " date=\"(?<PXE_Date>\d.{9})" | rex field=_raw "><time=\"(?<PXE_Time>\d.{7})" | rex field=_raw "Type=53 Msg Type: (?<PXE_Traffic>\w.{4})" | rex field=_raw "Type=93 Client Arch: (?<PXE_Arch>\w.{3})" | where isnotnull(PXE_Traffic) | rename host as PXE_Host | table PXE_Host,PXE_Traffic,PXE_MAC,PXE_IP,PXE_IP_MOD,PXE_UUID,PXE_Arch,PXE_Date,PXE_Time | sort by PXE_Date, PXE_Time desc Regex: regex101: build, test, and debug regex
... View more
